Critical Bugs Reported in Windows Vista

Microsoft this week alerted users to the fact that two of the security bulletins it issued within its Patch Tuesday release on Aug. 8 pertain to the Windows Vista beta OS. Windows Vista is the first major Microsoft product release that will be serviced with security updates throughout the beta process, according to Vista Product Manager Alex Heaton.

By Jennifer LeClaire
08/18/06 10:35 AM PT

Amid the chatter over the fixes in Microsoft's Patch Tuesday release for this month, the software giant quietly announced that two of the security bulletins in its Aug. 8 release also pertain to Windows Vista.

A posting on the Windows Vista Security blog confirmed that MS06-042 and MS06-051 are also intended for Vista Beta 2. Windows Vista is the first major Microsoft product release that will be serviced with security updates throughout the beta process, said Vista Product Manager Alex Heaton.

"We are committed to releasing Windows Vista updates for all MSRC critical class issues that may arise during the beta testing period. We strive to release any Windows Vista updates as soon as possible, but our priority will be to release the updates for Windows products that have been released to manufacturing," Heaton wrote in a blog post this week.

Examining the Vulnerabilities

MS06-042 addresses critical vulnerabilities in Internet Explorer that could allow an attacker to take remote control of a PC. If the user is logged in with administrative rights, an attacker who successfully exploited the most severe of these vulnerabilities would be able to install programs; view, change or delete data; or create new accounts with full user rights. An attacker exploiting the same flaw against an account with fewer rights gains correspondingly less, which is the usual argument for not browsing as an administrator.

MS06-051 resolves privately reported vulnerabilities in the Windows kernel, along with additional issues Microsoft said it discovered through internal investigation. Much like MS06-042, it is rated critical because the vulnerability could allow an attacker to take complete control of a PC.

Updates will no longer be released for Windows Vista Beta 2 after Vista Release Candidate 1 (RC1) has been released, and updates for pre-release versions will not be issued after Windows Vista has been released to manufacturing. Heaton noted that Microsoft does not include information about beta products in formal security bulletins, and referred users to a page on Microsoft's support site for Vista downloads.

Managing Expectations

It is a bad idea to release security updates for Vista while it is still in beta testing, according to Russ Cooper, a senior information security analyst at Cybertrust. From his point of view, there are hard and fast rules about beta deployments, and those do not include patching vulnerabilities.

"It is expected that there are going to be problems with beta software," Cooper told TechNewsWorld. "Security patches should be the least of a company's concern in a beta test because there will be another build next week, and it will be reinstalled on the machines."

Cooper's bigger concern, though, is public expectations around public betas. While he agrees that it's a good idea for the general public to offer companies feedback on beta software, he feels the public should give the software a trial run and remove it rather than expecting the company to offer security fixes that would imply longer-term use.

"If Microsoft commits to security patches for beta, then how do we convince the general public that they should not expect patches on beta releases, and that they should expect other security issues beyond the vulnerabilities that are being identified?" Cooper asks. "This makes the whole issue of betas muddy and it could open a huge can of worms if people begin to think that betas are as good as a final release."